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il) Keal FarlY In intecesl 

The real puji> in i licresi m tlic above appHeatibii Is M&im Hetwork«, Im. 
{ It) Related Appeals and Interferences 

The appt'liant h mn aware oi an> appcab or xntcrtcfc^nces related io the ab<ne jdcnuucd 

oalc«t application, 

n. is . ai UoL 'ht ^^(.'-^uM o( ihtr Primary J-xauiux-s. :n an OliRe diiiod 
Ma^ ^2. ;{H)6, Kiociiusj olainjs 1-25 and 2"-34, ail of tlie claims ni the appucauou liicre wa*- 
at<l a claim 26 Oiigmally filed. Ciiums 1-25 and 27-34 arc the ^ubjcct of thii> appeal 

(h.) StalBS of Aniendnjents 

S,i t.- Las' M CM a Rep ^ c> K Ol' V'lo sd ( M " \)< ■ > n> n " ^ ^ ^ :b 
tis >T ia ' V J UoU a. so noiidvo l a .u'^ { and 1 1 k> vf)iK>s.{ 'i.t, .''iK>! I .t,- | \)!uti-« out ox 
Lie ir . .X ^o'-'eL.ed i>nnoi i.ik inki.utev m clann 3 Appt-ilanl aKo aitcmptcd to 
*cnunio^ica ^.iai 27 3-4 a*> cUnm* 2(-}-33 

In an ad\ Hor> acuon daicd September 6, 2006. the exa lis ner did not venter the auer iptcd 
K nxu^iking ot t h inis 27-34 elutmg instead tt detei rt-TUunbtnng bv txai uae? aircndniom 
u J < Jt!\\a}Ke 0*hct\^ise. tlic examiivr mdtcatcd etitty of the atiiei dn cnt AccordmgK, al! 
MiKiinsM 5 shawtHv i oieu XppLSLrr iLJ a NoliUM)! Appeal on At gi st 14, 

i V.5 Ssumiuary oi Claimed Subject Matter 

Claim I 

(>, s Kv. \ iv' t ' s. Oil in V. trills 1 0 Ui t v\ I'-W'-^K 

-> i ) ^^iu\ •! ^ <! d V i.'v.uu<,iic 'Rciem j,te i Kj 1 ahai^n si . > 
f) s > ^ito^k-- iOoS atk54.k.s) 1-! shown |Apf>o!ia n\ spccditation Pagt 4 

I'Tu 1 So«i^e oi a! ^>f {:.ie dcpio)cd nron tot do\ ucs in the asTangemcRt uxo pros isjoacd 

mouuoss ' lAppf'k i^"*- sp(.(.tlK< lioi) P*^gc hnos 29 M)i 




n ! kI } n ihMttt. dis>io^cd to t \an m nti ^ >.5 i tf I s \ 

vciiu ;u }k vOispK iUs^Ku Lais Rckrnng'KH^ lolld 2 th^ d i*a tcuiw 2< n s uuir 
oi inks 2la Zhi w n tlii. hucmet 1 1 I at.h citsiomtr t u*^ <- ^ < N ioi N vus^omtis > ol txic Uato 
cvHtcr IS ON-^ocjatec \Mth a set oi adtlRsv^s \i 1 ht. pio\ isioned monitoi has a ju^tk^n oi liibouiy 
■51 d fJUboLjpd I .'il obtained dnvUix om Uk phvMci'lJii ^nansnnt hid 5 <i. \ m's 

atv'^tlS \\ t.5 n Kt \ M\ ! ^ d U K>.UltJ 0\(. tl>U| 1^ i j"? ^ u \ I 

^iMon LIS hv txapnn ns. uJI.«. a*- { Jit, dcMcv \\as aisfXJ^td unks J dt <.u do s su>, u ! iio i 
h«. coupled Imk^ that pio'i'jsjoncd mopitor is toupled vO 'l^rooe^ 26*» *>6n p<.rtoi « stvv. 

iuucuoTis such <is «p3«^g <>f patki^is and colled inioimauun per^aiuing lo siatistivai i>r< ptrbts 

i.H L p K ^t.ts I \^peiiant s spccjtscatkm P<igc 8, Imcs iO H] A sei\Kt. o'^ u ha 

^ d a p )usio lesJ* p-'on ^ >i 26 «.o i!d peiiorm jn?>ess ttlteiw hattiv ti ti. ig •> i U o k 

t ! <.!Nki s ! hp ^ n ( i la his s i\ i\ o *bo n' > s^^iswui 

mkf o% I N() irv^t iidi^KSNC^ luux in <n\ address oi addass spact \i} \ ^ ^.o^»^ ds.'^td u 

%m^\i iim^ iiom un lujvisioned customers radiei thdn bemg pan of a spooicd DoS attack ' 

I Appeiiant s specii jcation Page / . I mes 22- 281. 

Clmm 7 

(lain is al0l^c^ aNpeti ut Ik mvuuiop Clam s^o c ndif. i I od 
{^^ « atu.g dt \ui\ oi sen ice attacks on a \ Ktim data center coupled to a network s kan tc s 
simported Dv ihe asjaiogous ieature ol claim I andMG. 7B. 

Imc ii vc features ot tiaint " mciude collectuig usmg a pio\{sioued ntoii vO*- sva^ slicJ 
'n in»ution '•ti ^avs;. is that aw set i between a network aid « pSi'-^ahK ot ".un >n rs If 

^ ki i> ) \i { Ih V O Nwi. d imks I Ukd^t UU is I U i \U \ 

■> iiX ^ (. i \N 1 it (R O ilSl (. U 1 llOmli.t S ki.1 J i S tM pi*. Ji !. 1 

i 1 SI. f I i (. U s s -^j v> d tlH Hi i\o^K US 't UK ^ i. !l i 1 

h ^5 \v c umt- ol <,i iU7) ' aiso iiitiud^ coiiunu luatn^g da " vi a dv.u!vaic * )U unl 
i< a tonnol t -"lior Hi s {oatu^'t' 's s jppcmvd as the analogous *cainrv; o* <.iain 1 at t Iri sonic 
OTPhodimc*) s t K tvmtio vc itoi 2 1 is innpled to tiic gatev* a-* s ''6 nd dasa colk ^to5*« 2K bv a 



auacker. [ '\ppe!ia!ii\-> hpecsfication i*agc 5. line^ 16-2()! 
Clmmll 

Arsother aspect oftl-ie invxnjtion is csjvered by ciaim 1 1. Claim ! I is dimted to m 
, n"Lnes UmumUoi a In v ]icu> con t l 'U ui. t ^.iv <>ik .ot n"w .\-'Jsz J. nas o' 

hnentuc teaimcs t)f clann 1 1 mdude, a proMswiicd monuor, placed on »v.'lccicd links hi 
ihc data ccnlci Ciat llic pros isioncd monitoi examines tratYtc emitting or nig ihat data 
ooHHT m the setcotcd hnkv and collects statj>.tica{ mfonnation for s plurahlv o: jXCiv?s>K)ned 
cuMuincrs, v»hich are on is \ks that mc ckmmtream trom the seioclcd Imk^ that the provis otial 
monitor i\ d\spo^^d oti 'I i j- L\Uf '-t 's supported bv ffic an<tlog(?us !c<^ifno \nr 1 I bo 

proaMOiicd riiojvio: Kccp^-^ vpaui^c axuwct !ogs 52a 3"'d toi caclt aiOMsiotiul ous{on\-i fMUaa' 
nionttor/," | AppelluTE's speciiieaiion Page 1 1 , lines ^9-31 j, 

Inventive ieatures of dmxi I i &ho include a global a-)miter log that accounts ibr all 
tiatCic seen oti the hnk that ihc pRHssioncd monitoi is coupled to. " , as well a global counter 
log 52 tMt acctHmis for all traffk $eeh m the \'ii\k" j Appell^Bi's speeifkiition Page 11 , iiiiss 3 1- 

m. 

Claim 24 

darni -;J4 IS dt'Cv.ed a xtio iuxi oi th\\a tmg attacks on a \Ktmi data centci uutpled to a 
f.uuoik Thi- c i^ire 's si ip rit 'b tht* aiuUogous foaure of cUjni 1 and ilCr "V 

I <^ UI s a i lUs'K ! 5? n tU 1 I > US Ot 

p o^j-so Kt. <.! t (.ss i nl .V lUm n u ■v> oh x !< )U v <,! s 

RcicnipgUv)H Kj „ s ! data center 20 has . pi ivn \l jnx-, 21a 21u with the Im^nKt 14. 
I avh cu-»ionic} C > ' h hn N customers) ol the Ja'a ^,uitci is associated \s /h a ^<.t oi 
at dresses \5 i i^, nio\ isiontd iTK>nuor has a notion oi mbcnnid and outbound pat.kets obtained 
d.'-iS.tH liom i} K pinsKal hnkS uansmit and receive poits ' i Vppellant s spccr^cat on Page 7, 
lines 6- M|. 
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rio-> c >i\h\ <\ jiuhal r^nuUci log thai acroiuUs* tor all tr.uVic ^con txio I'mI- v^r 

Vv;j;cn ..t)IIv;s„ung DCvUi*. This icvture is suppoUcd d.s Uic ^snalogous Icatiire ot cianu 11. 'lli^.h 
prin isjoncd niotuUn- keeps separate counter log,< 52a 52ci for each proviMonod cusK^mcr (viruial 
mojiuort," [ Appeilant's spccificaiion Page J 1 , lines .79 3 1 j " as we!- a? j ^ib^h'-j counkT log 
52 thai aceotiiJts for ail n'affic seen on the link/' [AppeHani\s .specHicanou Page 1 1 , Ihies^ I J | 

<MmM 

Claim 2^ is directed to a method of thwaiting atuicks on a victim data center coupled to a 
network. This ieature is .suppofted as the «inatogous feature of claim i . 

fmentive feastires of claim 29 indiide collecting statistical information fr-r a phirahiy of 
iiiiks tiial arc dowmucam from links on v^hich collecting occuh. Thi^ feature s --i^ppw-.tett a$) the 
analogous feattire of clan. i t I 

lnvs.nti\e features ot ch-AW 29 inchuk pcrlornung traffic anais^i^ on tnc ccilecitd 
■statistical inforu-sation on a per downstream link basis to identify malicious traffic. "Packet 
analysis for a particular vinual monitor happens by classifying packets based on addresses ai the 
*^ire of the anahs^l.s " I Appellani's specification Pago 12, Hncs 3-5f. 

!ms-ntvv .vU'' (.'N <>! .M'n ^^'.d-v) -KiUi-k' <.oinnnirtcarni' alert Ivii hv>jn the 
•jaffu .''.a^x^j" " ] re i.K^'JxH a s<> ■lurjdv.'M.vMinnuineatH^ir ^sicus tnai tji'-c t .va ix traiuc 
analysts." | Appellant's specification Page 2* line 31 to pttge 3, Hne 2]. 

(yk) fef «imd of Rejfectioft tti b« Re viewed on Appeal 

Claims 1-25 and 27-34 stand rejected ntjder 35 U.SX'. l{)2(e) as being aptieipated by 
loele et ai US Patent Ho. 7,{K)7,29^. 

(vil.) Argument 
Aaticipaiion 

"It well seulod that anticipation under 35 ll.S C, §102 rcquiies the pie.scuce m a snigle 
^etcience of all of the ekn^t,tifs oi a cLumcd mve ttion " Fv, utti- Chopm, 229 U.S P.Q. 230, 
231 (BPA&i ;aKi e.ises cued 



\ ii I i. i t-N J c picsuico u a smf k } iH i art disv-lo^u t 0( \ w 5 * <. ' 
V 'If L } o u u XI f I is juthotiaur ' ConHeU\ .Sf'fr^ Ro(btf<.k s. ( i> 220 U S PQ 
1.93. iy» Cl-ed. Csr. 1983). 

■ I hiN c«;U5t has Ttpu tedh st<jU*d that ihv* dtknxc ni l<Kk of noxcUs u v? a il vipa.um , 
can 01 h he c^staDl^hed by a single piior axt ^efe^cIlCe v-hivh diNcloses ea^o ^nd o\ers clement 
UjctkMjJoMMtnh VI " Siruivaal Riihhif Prod Co x Pa A 22 M :s PQ I2(> 

li 5 1 'tus iiK ( ou * v>i \pp^ah kii int. i ultiui < ii jp a 'h ^ 
hja' .n 5:;\eis ». j.aal ot inoihn tur judgnicm n o.\ att<.i a <iu} ithug iha! ch jjns vv^\c 
aniitjpatca J<fSni'si)tjr\ Corx \ Imu n ifiditsmal Prod /«r > 225 U S P Q, 253 ij-cd ('u l^^br) 

Atlt.1 qijofiig fro Connetl "Auticipatifni requires ihc pre encc m a i>mgic prior aa 
lijsclo^-ure tx aV jk^nt; its oi a claimed uivciuion aum ged ai> in the ciauu," 22*^ U S Q as. 256 
iic -'oait o'-^scixed tUa^ fic mncnitc aceoiTiplishcd acons.atu ugfu conitxt s > a !)< 11 x<JvC i-> a hp 

i,\ -vM ' ! < s« 'i^l , 1*0 'cscs i! i {'K \ vPi IJK XI i 'ho 1 p <\' tv> n 5 I'u 
< jc:.* v%|icrs„ J\ hoi. s\ hi he pLu t,d fiiiCi was liu ^ dcllettod alter Uio hall was a^NCsr^k'fi nto *Lt 
\ ai\e Because ot thn constant pressure. The patented valve was Je»citbcd a\ pros idmg a 
aailjci iarh good veal Vvhen rcgulalmg a low ptcssuxc vSiream, 11 c eourt quoted with appros'ai 
f-cnr a 1%7 Coust of C^'lasms decjsio \ adopting ihe opimon of fhi;n Conmnssiout;! and iales 
Judge Donald h. l.yne: 

nKaib dial *hc !ip u ntacis tiic bail vs iJi i k tv'ii t 
\ iovtdc a iiiui ught st,al Ihe S< wxi { u <. u q 
onh '•t.alin ' ^ engages tlie ball 1 on ihc sij ^irejip side <- 
i> !i t pKssurv. f( ices die hp again t tlie ball and nev t 

il fi i { ^ ' 'cs 1! c bail on the dos>'iisireai 1 side bt eauss. 

^.K i f > }ln i -> CSS lu dKii. fo |i Kt n 1 t isj } 

i \\ IKS m ^.i-^ -^cai TU M C d ^ i i. 7 1 s s 

) i. ^ i !«.} d^pLnds ipon th b tit ( k vs inlt { <, 
i tki il oi I <- lUfg Uiesv-a! >i Sat ndv'"s depends 
I i i lit. von! Kl he wuMhi. )ali aixd he hods of 
K s j1 i un<^ 1 lu tht. i{an<ie oi tp scabngK co Uavts ibe 
is <_ ! ns iCtin side ■i\hen tlK *!i id pies^tuit. mci eases 
225 U ,S.1>.Q. at 258. 



arranged in the <.him In re Certan, I'hpfn Dnl Diues a J Cotupof eun xh<.'}"<>t; 2.2" 
f"Si Q 982 %5iLS irCi<)85) 

Claims 1-25 and 27-34 are otot auticipated by 
loele et al US Patent No, 7,007,299, 

v.:ui««s I aiia 5 

representauve oi ihis group of dawns, 

CXfXm I dHettc4 to d monttoxmg de% ice disposed iivc thwarting donial servitc attacks 
m a data ccnttt C 'ami i mciudcs the tcdiure ot a dcs ice coupied to pbj'^ic.il links oemocn tiK 
vina center ai-^t v' u iv ui k %\ ith tlto de\ icc di^,poscd to exatninc tratf ic cntcnng or lea% ing thai 
d ui v.tiiti,r on f K coui^Ld ph\sKal links and collect statistjcaj iu*onnatj< f on p<HktK <\\ 

St.! I ' i\V< ! ! k ! U> ^ ( i 1 C ) V I, ! i k p v( J 1 \ s V d ii^ X} \\ ' j! U 

^ion\iN \ . Tifl u iM;. On ii the dr ICO Wvis disposed on u ^ «> *hai ^uc \ >v\r>>utiir> Ir r i 
^hc eoupicvi bilks thai ttie nrovtMoiieii monitor coupled to 
i he examiner contends that: 

With rt'siards in chHWi 1, Jift'Ui tcsefws a (icvfce. csmplecS i« phvsKal hwks. 

<-fiS«n)ig or {*?ijvi»g that tiata cetitM- oh f.(ie c<n){»k><f phvsjf.ssJ hiisjs i lotie, I ssitsrtJ 1, 
voliJTsn ' ja<sis u>hsmn4Sim-> *s ^'''t ^a(l<(»Bu{ Jtisfu J tafomwiu ii <m 
jm'kets ihat are sem iHjtwecM a «etwofk and the (Jata «;«U'r iur a phtraitJv <}{ 
ciis«OH»rs bv exanmana trafik as tf the device was «hs|>i)se<l »« hiiuks tiiaf at c 
0 iviiNi J s. jroftom tSu hriks that th( ptov»\«>md tmimJo (so«(i«f{t rfwitu 'f isju'- 
\ppv iaj) Uis gucs kxk huK touc-cnbt Oi sug..csi vi Ovxict p t^eJ v>j sj^ekJ i nj.s i\ 
dau vcntoi collects sianst cal nitoiniation on packets that aic sen' bct%%cen a neiv oil 

ajKi the data ».etnei toi a pluuht\ of customers bv cxammmg tiailic as \i me dc^ ice v a^. di-^poscd 
on liPKs ihat aa dsAvisstT^am ironi iinks iliat the piovisioucd nioniior is cou >led to Ralhei loele 
discloses: 




rKth Uii ^t^. m Ihtfijsf 



ieve} oj st<:(ini> s.-; nsiiuiiiiijuiii hv a pmrahtv oi immaih 121 and 122. s»cb as 
(ivljergaar*! l'Sf t« sKs. >v(f it o(w as pritiiarv ami the other as backup. I he lircwaHs 
131 aad I2z i'mmmmwnU: wttb eacli itiher v«it atu»t^cosaeclMm 160, sacb as Jui 
EtherwH <»■ ftbts -opta- csfsiaecttoii. ilmlt Lnh X haes 2>-S5i 

Am ijstr re<|wsts «o«h»k trom tlif i«iernet to anv »i f ho fif)S«e<t ssites m«»f 
Um: iio !nr«Hsh Um a|^reg«tcd baixivicffii t« a maisi <>{ sjetworS* routers s Sif. 
wJtKi) !«jm:s«siis as <he first teveJ of iietwark s«:«ntv. t kt ntmcn IM farti'n iht 
:rc«|i«;sts t« htmt <ixternaf ac.tms to tbe t»etw(trk: ui hasted sftcs hv <tot; tv}Jt; ot intsfmci 
trafSlc. (locieC«J.4,Ii»^3S-37). 

!odt dcscxsbes a s\siiL,m and mahod ior pr<n idnig stcunu to Iiutrnt-t ho^tu^ sites 

h r J M )U t U n s , I jul I I ' ! 

[ r V. )K ! jii i n' fo \ H ^■la(.kct^ ^».ut hi,nsv.t.i n \i v n«. i 5 ii 
ii N-> It ^ tUucohet.ts staustica! mloimauon Oil pdvkcts vUk'' cv i or 
ik a) X 01 tniiLis b\ oxammuig irathc as it iht dt.\icc via> disptisui <u in ih^i* ait 
u<^v\»i^ticani troin I'le h iks mat the pio\ isioned mointoi is {,oupled U> 

look distu^ses nctviOik sec!nu> measures ior aii Inkmct hovlmg site 10{> at C ol 1, hiiv* 
i U i IS s<.! o{ fMs svaintv this seauus comppscs umtors 110 that ini \l c xitmai 

S { i \ U I X nkii tt { tliSC I vl N 1 In ^ ( I > Si. s % 

1 iiUi 1 -«! 1 u Uk \ > 1 I I ipd 122 Jhauom 1 1 )Kaic V. I ^\ hi ijni 
lutcrtoinvU K>j o'^ kv ks^riht ^ laiaRhscai aiiaiigemcm to i > i ^ s^v. u sjua 
oiik's t iirevulls iocic nKPtions that Anv usci jcquests <-ommg UotP ht. ha<.nxt to 

am o vhe hosied Mtes must itr t go tiiiough this aggrt^^ated bandwidth to a itwj'i set ot nct'^oj^ 
roatv's I *0, w^jiui liUK lions as the lirst Itvcl ot network >ccunlv ' and i i \^ la louicrs 1 ^0 
St, s.^ 5 i <. it.t ut,s*v to hinu cxiunai atci-vs lo thv, 'letxunk »i htjstcu s * ! \ \ >f ^nt n U 
i (I ^ u ^ i i K s u M ( ! <^ 

Us V ii !K i un oij p.(.Lct> -.tut htt'A^uHhv V ojk liK li «, lai I v(. \ ^ t s 
niaiii ' 1 kxk ot i.c41tttJon oi statistical mtormutioii on packus kxic thcictort, \ \^ 

^iot it.i<..h thi Uicr voUcctK>n o( tbe stattstica! mioimatiou i^ riudc In txaniuinis; tr c s i 
tiiv (itMtc ais|\>std on hnks that art dovMistrcatn liom tiic tonpicd hnks iha* im proxiNiouul 
niont tor is couplea to. 



In {he <ur -^''-n <k it> uL\v.'r '^.^:>ten\ber 6, the exarniner siates: 

„- (ioes. iM<) i j)litte Uw st|f|>ltCirtiott ut cotvittmi ior ain>svj«ice betawsc; 
Applscant'ii argurtienis are »(ti {)ersHaiit¥e Appiicaid l>»s itr^tted that i(»«k' 
tescb 'a dtvke disposed to ex«K8ae traffic cmmaij or leanag a cteta center o» Jite 
CMij^ed |^vsic»l links.- Exsimmer rcsjjpettyHy disaj^mis:, loele twiflies a device 

hl^^ ifKJt wjilBMHi ^ i m )ii um 4 ton - i ) t mcs ^1 ->0 Vi): = t 

1) « (t4*.i«n£^m»^t(^ t \ ilKnimi j ks £ j i jn S! imitu tf 
«atm»^ or tesving tin- d&i» t-iuter, !!>is»{«>;u<;s>l liiioimatKiii is i;<)i1i;s:i*d m th»t the 
mtras«*» rf«tw;tors 'gatfeer tlriterent dnta rdlafittg to She ort^Miatin^ poit^s *rf the 
reiitjests'' and mstc e><t!«Mojjs j\i>piicant farther argues Ihat ttiere ts >«t iiefbtated 
pmstc ttetwttrk S)etwe«n themotixioriitg device and ttie coatrol center disdosed bv 
fesanaiJfir restjecthtily disagrees, foiete ttiscl<»es la f luare i, a eoatfol ceater 
(iteaj i40) Itwing et»ft«ect<;<i to tbc i»onit««nf» device where the control center ts ; 
txhiM Uie xotitm ft»dJ%n.-^^ai{b< Thm^ ImAt testthes th^. matsei cmi&! mihm tm 
«Js{8 e<f«ierV s»^v»te network. 

Xpp^lianJ con cntK ih \i \ c cx< mi ler has not h cohnkIc cc' all of 'k it i^'isons 
c a n ^ X s V > ( xin u I vs i k > i 5 ! t Ks s a ( ^ n t. Mi n idUon 
t4v, KUiL^t saLii iauhet^ia i 'tqincs thai. ine ciCwce i.1iNpO".eJ var ■jo saiJ:*.. 
ci tcung or !c*n ii^ thai data cci tc as li the cc disposed on Iniks Uut am d<. wnstreani 
1 on> he CO ipled .mis thai mo pros ism icd luonftoi is toupied lo feature Ital die device 
<. xannuos ijafht Ito.in ^ downstream pi,rspccti\c is not suggested b> anv tcatJ mg ui loeie. 

Ih . ^. u , o H V i )cL s teachings at coki xir 3 hnes 25-'^5, ^olunu 4 hnes 35-57, 
cOv>nn rcs^l X/ aial torteachmg \ dv\Kv h^p^>^^.d lo ovx'-'v >e '-aJ . vnttiing 

oriC* !i'g i .J K>.5i!£.i on ihv ^oi >k •'Unsh. <i u cl u s s.' ) s 

tkkvS t isposi.d to oxdi line IM** ^ c\ ten ig or Ic, vipg the du% vcntci ^ i ju t Kjv, 
cxarrs lo'-CtW argiK' that A^utcr's/lire^valls/itit i sion detectois a c connected to phvs ^al uuks u is 
< iCc i iiorj lock that k^L taiK It teacJi that the routers'! rev^alK'i it u>iuti dciccto.s collec the 
c\j*^Kd s 5* s Ka 5 lorniatiOxT ai d ticuiails f* il to icac i to col'ect statistiv.al tntoimat'CMi oi 

I \ o nh I its ^ jsio } is] \ I 1^ i Y ( \ s usj K<\ 

] ul iv h un fio It K t-oupkd links tnai ti e pun i-,K>i ns. I it<i ^ i. ip i. o 

I iii iM ' ...s duMnv.'staiistaal infoimatK)n.eoiicspondstoiiot\cnt k>g 
icactiisni o5. iocse, yowcver. bcle aiscusses: 



i fwjith Uvti ot uanh K indint'timd b> ,i» oiRrdtJOite and oent tog 
HWH4at«H at <>^r\itm I-tO •>lu>»n is f K> I, Mmh taotulon. for m«fat.atH)H ot 
ji<^Uvare. hiirdwarss. nei^vork ami smmtv protdeHis, ainS other eve«t lojjs. Iw 
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iostanct' a fuoJi 1 Rt. «*a»ne may {x; used t«r event fog niuinagtitiitnt, the J j¥i)ij 

flit., i.'njim(.' K nsn on its own ser>'er and ss. !).se<I td rosi »!> a«<i ffsoistor all i:\xm Sml>s 

V torjh sv«v«<,<« ot Kt ana <tttwn(.t uliU »n i \s f tisunsiii! 
c««ijs Mrt < oU ^ t Bt log i .it<! b» t<>a'-t<inU> H«>«)t*« mji tt t ma t>i <4Ji S ! <m »t h 
V\i*c» » Jog rtm'hcs s »ser-ddjned thmJK»W, it is traastwTOi to a ««n<:ra! 
B8SHage»ae»a svstem usaia satwe store sjmliorward istsclianistu. 

\ iU Sin c L ■.u n s ■!!. X ! ! ' st i vie 

rck \ i» e ^o (. iaui 1 is bv locie it a< hii g tii<it, \\ hei\ a lug loa^^ es a u^ci Jci ncd tlu eshold, it Ls 
iian-.Iv jeu to a ceKtj<ii niaHagcmcjif ^jsiem using a vccuic sto e <j \a forviard net ianj>iTi " A 
ncciuc -.u^jc «nd ' aia i Cvho i sm mcreh rcK les to how ihe files *rc ^o^ ^ttnagc 'rieaily, 

U i,in < i 5 i !^ V c > id L .1 ( I n s u tv! VI ktv.fi) s Ml 1^2 

.Ovi vtl '"'vV u t ' hi. twdi.s 12! 122 lift in 5 1 inun^v'nv i j i v v i ali'c 
xO. atUL k, Mgn< auos \t'ai,k signaiuics are discussed h> Hft..v. as i iiosc c ig'ncs uu on a 
dcdivuted ho^l and monitor network iraffic foi attack bigiuUurcs and jkn psisonjKl s%hcn m 
avtdvk ts detected. The eaguie 351/352 looki> tor a select combination of packets, that m.Hvhcs m\ 
jrohk ot (.vMjpi^'lunsnc hs* t)i hcI! knomi attacks ' |kx>ic Co* 9, i inc- 6^ <i^>l \ti i^.! 
vi-nai'liv-'s div. u lit. 1 5 Kt. ^'JtNlkd n*on.UJOJ 

\ppt.J,js (, 'iWUs 'a X IocIl s lVv-xK Kj ^io U i^l ^ at a > a U s e>l 
'"tat Sv ct^l niomwiUfii \poellani iirhci ^ontcuds tlsai lot i. (k ' ) u s iv<. 

"kxh.*i .o prcic*. I pimjsKWcd custtnneis sites Irom iUack but iustvad picpovvs tiia^ Hk 
iiifcinct >„omic:ctioftv t(.} each site arc also suflsaently laigc io pic^ cut iloodms* attacks 
\v<.ouiiug (o ail v-ni>odiment oi the present invention, the si/e oi the InteriHH ^.oimettions !•> 
base loa ^e^o^'' o jV mnn -jer oi users that \n dl ho connoi. (ed lo £■ ich Mtv. *t oikc h bo 

s / •> s i. t I i !S af Jv. < <. 1 i i 1 01 t, 1 Ut,d K 1 l1 ^ \ ^ 

I <) ! I K 1 1 <v 1 u>i 5 I Ui^ Ik jucI unsiH luijIo c i x i_ > s v. i^U 

lklUoi s t.dcpk>\iiK5U ot a \svh mU <ind IHs vvstenis «s .u*.ij,tiort,vi MtL , i 
M*b^taiuial'\ ddk'eiit llvu tnc cLii nod aitangcmcnt im oh mg a device to c%<ixnme traific 
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mlbnnaiion on pac^eis. 

\^.^okL V'>' "-i^^^*- ^^^^^^ dcbcubc al! i)j die fvatujcs ol i.hxim I uhap^c-^ < \ trc 
dau«, ioele cannot aTiticipate cl ami L 

Claim 2 fmthcr hmitt> claim 1, and recites th&it "the monitonng device is coupled to a 
control center through a dedicated, private network. This featiirc is not descdbcd by lode. 
In ihe advisory action, tlie examiner argues that; 

AppJioBt fiJrther arjjwes ttsaj tlHsre is hi» dedKtsttwl prfwiJs ntfiwork Jjetvrtfeii 
the msrattoiiMij <tevke aadlhe t-oitfr«t cejiter dSsdtfised toy I«)elc> Ksattam-r 
mjx>f.tftaty dlsi^mis. iSsetos&f ia Figio* i, a tdatrwi cestcr {item Uii) being 
»»inect(!tito the nftmtturu^ <tevji:e wiiere the (»ab«t>r center is behiad the nmtm 
tiM tirt'ftalls. Tfttts, Joele teaehes th« cuvArd center mtUn the dats ceater's private 
(jetftork. 

The examiner readily admitis that the control center iteni 40 is behitKi th^ routers artd 
firewalls, ami thus the exaiuiner argues that the amtrol center is within the data center's private 
network, Hcascver that Is not what Appeilani claims, rather Appellant claitn.s that the there is a 
dedicate>l pit^.iic ucn.o'k ^^nfmii :hc.oauo\ .cm-^r ano. 1ic rKMir-MU^: at-Mcc. 

AcctifCiUigi), ^UKO loflc kiils \k> iXc^>vixi)c aii vi llie toauuvo <A clau'-i 2 mrangcd as m the 
claim, ioele cannot anticipaie claim 2, 

Claim 3 

Ckiim 3 fisiihcr InnUs claim 2. ;utd leqturcs tiuu the device include a conimuuicarkMi 
process that commimicatcs the statistical infoirnation oti packets \\ ith the control center, and 
vklnoh receives ijuerics or instructions from the control center, 

loeic fails to mention any device that communicates statistical information on packets 
u Uh ?ki Ofnin<>l ocrsTi."i oi winch receives queries from tlic control center, fode discloses esent 
loss not stattsttcai jnibrmation on packets. 



(. i. < 1 n !is J,um 1 In lequtima ^h<u I <, nu iJSo ^ i i < wax device 

<.s\i La a a.( lui<.s .i punoN'^ to «mJ! nUvistu ihwaji. dtiikii ol sv.xjco aiu«,ks icniOMPg 
iW\4ui k uafiK that is deemed pmt of an altack Neither the rooter nor tno t jic\% d\\ no- the 
mtrusKJii detection s^steir mr the event log managemenl ^>stcm 140 is a gatcv^as de\icc 
Mott'ovi.. none of 'Iioh depicts mentioned b\ lock install tiiici'- to th\\ar. dcnud ol sc^kl 
:.itta<.kv hs i ! > 5 ^ >j 1 Ihc s'l It 5s dc<.ni4,d put t ' > J u 

lock ' Si. K -its i 1 It I K,v. f\ t K\ llHdtktt(i-i \ 111 M ' t\ ^ \ i ^ 

budUl { j:siv ^ <M u lute s Ho\vt,\tJ t >. inuit m tiii,' ci^ and iU^sd^to i ^ K \ ^ 
dunust ul i prov.t.ss lO u stall f dlcii> loelc also disclo-^es the Ti\ o\ ku n cx)ni Uvi ^ Uu 

acdjttes ,« d hnnx'.cs Uh e\tcnsi\ e filtering to allow ad U c que les and pi itrng tv cenr. hs 
stoi J t.\>. -Ji >">^<iui*.<^uut.ouciation' I his however has. loanc^ancc t ^iht i svd pnxtss 

o ji ■^i*^ i kc ^ Inatditior Uv\ 4K0 disclose^ that *!hu. jiuh asu-n ^in i -^ok -•'^ 
cot*nKf!iv er >'^l •^'^'^ hv i m u stus ^ i ^\ \ ^ n\ \ i k ^ h 5 s is 
att aK smnat iK^ iutus a kI i \un i^spons^^s is \\tU <.\<,haruv. \ vv-p i^e i ks- .ua i so 

ic 1 ions |oa ^illenng Houcscr, again this doe not dc>cril c a pi^JcCss ' to nistal U tcrs 10 
in\ art duuAl oi ser% jlc altav bv rcmox mg nt oik traffic that is decm^-d pan of ati ai. < t.k 

C -fe lm 6 

Ciami 6 fuither linutii cbnn 4 to lequirc that the gateway mchides "a pujcesi* to aggicgaic 
uaffic fionj the various links and to produce logs and detection hcuiistics." While lock' cleaHy 
ircnuf^rs v^»s. >5 \ nc^i <U all dear that the event logs of loele icsiilt from aggiesfaied u-aiHc fioir 
±i. V, h > ■s !M - \.Nt. iix !vs th ^ CvC.it k-g-^ do not .kxf. v oi sii<_V^"^ ^' ^ ^ 

LKh iKd\K-^r ol claK'i 1 a-ki thus cUim hat k^sl .series Jiutne; ulstu^g^J^i '>a^ ^la 1 Kok. 
loele. 

^or ihe purposes oi 5lus appeal oiih. cianii<i; / and staixi 01 \yjc\l 0, Cla.Ji s • 
reprc^icatanve oi this group of ehsms. 



.vfi 5 s iu s ! K^-sn^ V E iij ^ cf coiicctmg, nsm^ a pu>M- (in d i K t o ^ ^ s5k 
' U u .Uon t h \cis that <ue sent bci\"s<ceii a nem ork <«id a [>!ut ahn ot i. usu>u s flii. 
vt'ulu b\ oxanumug iraihc on stlecied imks m the data ccntei *js ii the collecting ViCrc bcmg 
pcrkMHied on luiks thai aie dounslniam trom the selected links Uiat the pto\ jNioncd nioniUT 
dis.xHCv' on .>n<l ^cm Tunicatsng data tnei a dcdKatod lictwoik, to j ..onroi a»nu<5 

I s.asd ) V ^? > V li >u!UH uamtK JiaUoikcifOii ts Pvrk>ii7iod )f a >.as.on v.i bOM si t'lv 
k.(){ki^on s K L pcitorm on hi^s thai wcic down stieam iwm Jit hnks dial Uit piO'vji.ioficd 
monitor Is disposed on. 

Whtic Ivselc mention ic piOvtMonmg oi iire^vall iraiiic (lode Co! 4. Imt 5| fock coc*^ 
no J ■x.u^'i vonvcpl oi pr(ivii>ionmg oi a device to? coUcctiun ot ^tau-iiKa! daU on << cu^tomci 
btiMNt^ I UK col v(Us fe,^\as >vtu^}r<-cnhukxdowuMrcain fjonUhe sr^-. l\U*no a (nUos ts 

^oniboiHocT i ! ft s%o^ A and a plura! us ot iUsioiJKfs kxk n^vonlI^v'^l un*.-* uii i -ii i cittcvl'er 

.KTics thai look foi rittack S5g3uta.cs Attack wgnatmcs howes er are not ba^cd or ct)}!ev,tJon oi 
stati&ucai jUoiHitnson on packet fiow>» but mt»icad on knov^n, j>rt, tsubhshed tctnputc^ ol pucko. 
t-oiiknis that aio dccmetl an attvick Ncithei the attack sjgnatuies nor an> other tcalurc ot loclc 
are done on a provisioning customer basis 

Claims 

ilann J<. winch tcc^tCN that the device is a gatcwa) dovsce and further inchidtis snsiallmj. 
ii'vsvt r-is' . - i \Ail a.i . icr' v.n.' L. AMr ^^ 5. a J ic that IS deemed pan of an 

a".'^\, aL^^s^aoio i^>5 ar.aitM^oas loa^Ts k> thtvsc gt^cn mclunn 4 

<MmM 

la? r 1 MiH J i 1 . . k\ i.oHectmgof ii o \ Mon. 

d-^ asgued abou 4). kiaUoilvMm otv.ui<. tor cithci inbound 01 ooJiound iruiih '.s I o 0 
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Clain^s 11 and 12 

K 1 I ' J vs i !is . [ p^al <: niv, cldtms 1 1 and 12 stajid or tall togoihes i Uitn i i !•» 
represeniauve oi iius sroup oi ciaims, 

C Lum 1 1 cafis a,u ajiangvinent disposeti lo muiiiUH d Inik bcmoer a tIaU ccutci oiiii a 
nefvofk io*- th\\ astmg denial Oi servjcc attacks on the data centci CUnm { i mciadcs a 
pi -f meJ .7iorit«r plutd on se'cttul huk^ m ine data oetitci tn<H e\vij)ir.es tialt 

v5 s" > 1 \n Ai iA\^^nli.\ . ^ K ^ahn o 'K u '1. ilt 

p5 )^ '.hJUt.i vu-^to i v's 'k pio\ jNjonto nioruioi okumamuig sqia at(_ cou h'oi icv"^ ' "-^^ 
pri>vsi,K)neil cu^^to nor and a ^\ohd tounici log thai actounts> lor ali tralfic ^eon on the lin^ iLat 
the provi-vjoned monitor is coupled to. 

f ioiiii 1 1 iiKiudcs the fcatires ol aproM^ oncd monitoi ihat tollcus siansticai 
u oai a ^.n o» * "'luraiH'' pKni<>ioned cuNtomers uhith torrcasons dn^ isst, 1 ^ x ^v i t i o* 
dvSvMkd kxk in iiddit{on claim 11 n<.ludos the v it trs. t' f !h pu j-^auKU 

'1 ^ it 'ii 5 U V,} IK O J! k > no I pu KOKt H It ( Mil i u» log 

*ha tXviUU is \ r ah traLic ncui on th^ link iLat tUt, pio\ isiouai nwn.t^v vOap <.d to 

1 he cxanint-r contends vtjtli resptU to these Kitei tcatares that loele teaches thv 

riO\ isioncd monito. maintau mg s^epaiate coiintei logs to each pn^^ isioncd tustomci ^locle 

<.o>UT« 1 6 l!uc> -i^i 46 J and a qloba^ tounter tog that ai,coiuits foj ail traffic seen on tno hnl that 

du pi M tu t i\ L ' u i ' ^ s 'S4} 

Kvl d >v.^ i».i->Ki.s V J--, t tub V J(.s<.; !)v. w Lci ilv. sepal ai<. cot itv' iocs tu 

i ai^li ,T tn K T ^ 1 . ^ (> { u ^Ko t ^nuniti log that accounts lor aH tiai+K ^^ecn on thv Imk 

V^trd agh lO c v. u ' o' u 0 ■ 

A inurSii kvL>! oi securitv (s. snatnlawieci hv a)}<ijx;ri!tiOiis; anti tvt-ai l(>i> 

soitwa^re. ijannvare, DeUvork aiui stTUjUv fJioblenis, olSior eveiit Joi>s>, i ijit- 
««sta««> a limii ihC *og»«; mav xmd t»r event Jog misii««getm-«(:. ilw ! ivoli 
1 M: eiJiijae is ran o« its owa mmr and k used to rwU up aitrf atonrtor aii tivmi bigs 
m liis iatcraef Jjostiijg site, lliis allows llie Jss&A (?t the Internet tjosttng .site t« catcii 
ijsav .sec »ritv issue or othtir an!8.s of concent tlnat niay anse, Fi vols msttres the 
f.atitmtiitv of eveittj: log *la(a for «:rt«st;»!f!v tjiomtonuft tiit sk<' oi ati N t t ve«i !«gs, 
^\htH» J«jim»<.I»csau>-t.r <kliiiLd U !i Si iJ sis tt aiskjutH sfiiiU^J 
(»A«Ai,e«ieHts>Ntsi«H!»i»g<tv4.<. i! ) 1! t1 irdim<.ha»«^!« t s\ >ii I't"*"**'^ 
c«idij5«rat«m factltties and a Ijrosvst^r wsiii estenssvc Slteritij; to alktw a<{ h«c 
qjienes ami pnnttng of imtrafiv stt>r«t evetrf log."! axid event «n-re{atMm. A scn^Jt 
ma t« extract f)«rtjne»t iiitorjaatiOH tvom tht- Sogs aans Tmsli. 1*Sms scr»p( wifi 
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{» devei«p<!(i by an <J|«r3tJons Maiiauer o! tb<; laterm;! hosting s»t<; t« pr<m<!« llw 

by appropriate boa-personnei to ensure thai tht lit A wdf have ihe data m-cmarv !« 
o^me? tbe swurifv ns ^.^ttKi Vitdinir <n -'k < ie^-i^ i> >k i <.<Uu{ 
prt^clennined period ai time, the :N.SA nK»BH<>f« the i iU^ ««({ tijkis itpproprutt*; 
actions for n& secunfy rdal«d aiarinii. the NS A ami ISA hav« rmd access t» tiw. 
ew8t log msaagcHwirt semr. Agaia, Uie ISA approves access t« tftjs sen'er, 

lofie tivK'S ^le Jor-, not !ui iA\.\i \\ uo-^mIv ro. n, f.k su^ ; J 1 o .-^0!\ k>:;'- .'.o 
scpatatc; t,^>utnci loi each puniMoncd cusumiei ot a giu'nij counici log Lat a^couais lo: aJ 
irafhc seen on Ihe luik. Moreover, Iht cv<-nl logs taughi by locle are not statistical counicns ihM 
collect stausiical inibrmtHUJn on network packets, but instead arc wnxrentional XT logs of e\cut-. 
sjjch as sottwarc, haidvsare, iit*ivvork mid security problenis, The> are not counters fogs of 
staiisticai tiifomiation on packets. 

For the purposes of ihis appejvi only, claims 13 and 16 stand or fall togctlicr. Claitn 1 3 is 
reprcsenta.i^ yump ofcLi-ui^ 

Chuiii L> s.-i\os io :u!t[iv! UiNunguish the arrangenw^iit ol ci^im 1 h> tecrsunui^ ihat the 
gatcwav nuiiufaais i;iobaI j-ackci log lor all traffic, lock docs nc*! descnhe ihe global packet 
log. The Iiig> that locie docs describe are evetu logs, conventjoii logs of c%'cnti> feuch us soHware, 
h;miwaa\ network aiid security problems. The event logs are not global packet logh. Appt;i!aut 
discusser global packet logs in the specification at page 1 2, line 1 2 if the Board desires further 
infonnation. 

Claims 14 and 1.5 

Foi the purposes of this appeal only, claims 14 and 15 stand or fall togethet. Claim 14 is 
rcpiesv-^ntatno of t^ns g-oup o! t'.unss 

Claim ' ' unA-^ V.1 tHP \ ^ to icquire dial ihe gtoinJ juCK.c5 l<>i.^ s..i.KKio > r -^k^ o* .\l 
tuitiic ^ccn on the »uik to tiic gateway is. conuct led. lock doc^ not ucnwU)^ Jiai ihc v.'\ cm 
logs result iiosn a sample of ail trattic seen on a link Uiat H monilored Claim 14 tcquires that 
gaicxsay peifotms the ttmction of the base claim and claim 14. 

loeic in (.onirast, while clearly not describing the claimed global packet iojr also does not 
des».nbc tbai the "opeiatiotis and e\cni log matiagernent system 141)'' actually perfttrnis .iny ol 




iiofip-.on^A . 5 IV (.tri'K. ..ojis joqLK'cU b> claim 14 HuU is, Sho \>prtiK> .5<K\0j\ o^' 
majiaj:ei kiH >^von 1 + sjcidsci -^so^kIcs ihc global pi\i,\c\ log. nuj monilojs Sii uuk. 

L-i .nni.aNt, i(jt>ie UisciCic.-. thai the ''opc{allou^ and c\cnt log managcmau sv-^ieir 
usc>> a The cngsfic, Spccstically I<x»le discloses thai: 'The Tjvoh TEC ciigmo is luu on its own 
reiver and tisal tt« roil up and monuor all event logs m the hUernet hostmg }5i?e Ibis aliows 
th<. NSA o! ihe Inleniet hosting siic to catch aiiy security issue or other aicas oi conccir that may 
asiNO i ^ . i en.Mucs the cmuinuit) of event log data by constjuitly t«onitonng \hv <^i/e ot all N I 
evem logs: 

Pu'VisM. h - \ Jh . [vivs.u^c, NT reim to Mioa>s<>fl\s NT operating -system. 
lioAc\ci be >Jo,lJ NT cseut iogs are noi global packet logs. 



Claim 17 rurthej- hmits ciaim i2i and requires tliat ti^e gateway is a emstered gateway aiKi 
i.uviudc<^ a piuralsty of prober and a ckistcr head, with the chi^ter head ha\mg a pavesi> to 
aggregate trailic trom tiie probes and to produce separate counter logs for each pro% i^Ioned 
oustoHier, and a global coumei lor and p'oduce detection heunsiic* 

'Ihc exanrm coniend-v thai socio ioaJics this feature at Pigiuc 1, (\\ 6, SiuC'. ,n 61 
loelc posNt -js no ti-aclniK-. thai v^ould suggest much le^s describe a clustered gatcv^ay. a phiraluy 
oi pjohcs and a cluster head .... 

At Uk Cited passage of lock, the icfcrence TUetci^ discusses two httiasion Detectson 
a\$icm\ and Firewalls, none of them however are disclosed as ciusteied iuid mcludmg a pluraUis 
ol probes and a cluster head ... as required by clmm 11. 

Claims W- 22 

Foi the p.' ' > ^^ s ol appeal only, claims 1 8-22 suind or lall togctiici Clains 1 8 is 
"cp{est;nt.)U\i' ^^ < , s i\oi n ol claims 

C losn m' cr -i}' N up i >^ < { h>„p]o^'^ 'K.dnwjh) \ ii 'C^ <s v s a 

rx<,mi.UA ivi i i< a. link o-a which ihe punj-isoncd nioniKn in Ocp}>Hi-J dhu w a* il,^ ih'a 

be 01^ niiiepcndent node m the tutwoik cipabk ot issuing attack wanimgs and responses t<.> 



discitxses no such aaangement. 

Ciainis 23 

( x^i\.i I \\ \ iUAiis he an^mgcmcnL ot <_j<mu 12 to rt'cputo lh.il sLt I'S ^enlc! 
auaplcd lo dihiHigu sfi an attdck on a single provisioned customer associated vviti^ a x uiual 
moiiiioi wid iUi attack on the hiik(s) on v-hich the momlor i$ j hysicaily deplo>cd 

('(amis 24. 25, 27aud28 

I or the ourposcs of this apj cai onl), claims 24, 25, 27 and 28,slaiid oi Mi logelhc 
rime s ^ no ckmi 25 Claim 24 ks representative of itiis g mtp of claims 

C^5 iu 24 d ^imgiu^hes ovu loetc smcc the Kfcreucc ta-ls to describe iuii ^vl'evung 
stais'K 'lio! .uv> loi apiurality o' ^ us. ■ss! <t ^ , iU->, 

lipks OP H nti. 5 coL.'tUJig occurs and n auiannng scpaxaiL vounte^ logs toi piO\ ss^on^d 
;.usto«Ki. and a global counte* k g that accounts foi ali tiaftic seen oi the lmk\ on vi'hsch 
colleclmg occm's. 

1 be cxantmc" used the >ar ic bai.i,s to reject claim 24 was used to leject claim i ! 'Hie 
>,xdunj cr v,outcnds vMtb respect to these later feature;, thdt loeic teaches: ' , the pro% stt nvo 
ntonuoj I liMinarMj ^ep^uatc s.outitcr lojis loi cacl provisioned cu*.toma (loeie, column 6 hntv 
45-4h) .\\. so > . oaiii^ ! o n \ t . oauN Sos ail traffic ,^cen on the hnk tliat the provisioued 
uiouuoi >.oi. '!..d > locic, v-okn ) i " imcs 37 6 h ' 

lock dues not speodscal!) suggest, much kss dc\(.ijbc collCc'ing suujsnca! iP<i^nra*'on 
toi a pluraniy o. jiu>\is.ioned custonicis on links that aic do\x ifeiream from Unks on whub 
colleciu g occurs and maintammg separate countct logs fot each prosisionod custoiTieu and a 
global counter log that accotmts lo all tiaific sec i on the h«Ls on which coilectitig ocv.ius 
i^-^cie. at <\'>I T*. s o4 ^qt otcd abtne tu the disctissson of ciai n 1 h docs r<»* ?dcnt'0'Jiv 

she hui^s o 1 ^oh.au.^ otcuts 'lie event logs a^c no» couiHC io^^^ iios ajo 'iu scpasa'O 
oounvcr logs lot each provisioned ciustomcr loi are the ^,veni logs ^ global counlei log that 
accounts ft^r all traffic seen on the imks. Moreover, the event logs taught by locle are not 
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^.omc lUon i<>g>N v>l cvcjiK Mith as soitwaic, lwni\\arc nclviork and sc<-uru\ j-^io^jonis 

Claim 29 

( ! ^ •> di lo a iiiiJboU o{ llmarUug attckks on - s n data cc^nc aiKl 
mt.ludcs coilecUuij staitvijcal iiUoimaUou for a pUuahn oi Imks ihat art dov,iis*ioam Iioni hnk»> 
OP which volietuag ^cuxi>. periormmg Uaiik analysis on tlic toOoctcd statis-tKal ^niomiat on on 
t pc{ downstre^iTn Imk bavis to uicntiij malicious tralfic and communitdtrng aiciis that ari^e 
tmm the miiiic iuialvsjs. 

C iU ^ 5> Ku -.iio^ HcHocK i KC the Kf-utcrt^ i i-'cl^.atu cil 

s.oKLtii ^ si!^ SI iusi k! 2 1- ahd fi atidiiu ' k! l ; mih uiK 

^ ui vs > 'ho ^.oJlv.IvJu s>.i .siiv,ai {nivJimaUuu on a pei dos^uvlrcauj iuik bdNj"- o <dciV is 
mahciuus ^laftic loelc does not piocevs statistical mtoimauon to peiiomi anahsts rK ntii s 
m UK> MS 1^ fsv Ra*hcr lode uses aii IDS svstem thai looks for au<Kk signaiiutes 

Claims 30-34 

hdi h i\ tliu ns It) 34 add t^istmct ftatuios lo distuigussh d*uin 29 o\<.r ioc'e 

ar ni^ lock does not describe \\hethcr at CoL 4 'mes ■?-20 or cKcwheie that 
\ I a i ! MS Ts statis«Ka1 infonna'ion collcc vd hr in !ud!\nii'al Of c o dw 

'aiks as ii Li hi i Lk dt'ts int dcstJihcitiat vUWi-* -.is kk-k.^ ■> s ^Utisti^a n\v u to 
docs iock ocscrihe thai anahsjs is pcdormcd on tJattK rtendeti ior an mdi\iduai one ot 
dowjjstioani li iks Raihei, loeJc discusses back tiacmg ot addresses rom v«hich aitack-, 
>!^gmaied tioiv Vui hovvevci deals v>tth tracing the sou''cc oi a DOS attatk Clami m 
toTitiast t] nns *o use addressc> to niaunam pioMsiouctl IX)S moniiormg a pu <.t«sionicr 
basis. 

{ i V. i V 5 It Hcurs Oil a aoxsns ^ it k 

basis is i o uis.csi.un v Rurivr iV opciatioi s a k vV;.n og '^magcnicni tsst^j -^x"* 
does not ieature this eletBent. 



ocf^jr^. or. a ckA-^nsUcai 5 huk basis a dtdicaicvl hardened 'jtisvotk. lo a vonuol ccUvwi l u { 
tlctetnjnc. a esponsc to Oil ailack are not suggested bv kwlc toi jcasoas aisv issod >.bose 

(lams ^ I directed to iikenng the tdentiticd malictouv nafhc and to cinisnaic ihe 
.naheunis trattie iunu teaching the one ol the dounstrcani imks alios^able i ver loele tor 
anabgous reasons generally discussed in claim 4, 
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Appendix i>l C^^imms 

\ i V 1' H ' ao vUspv^Ncd lor thw jriing denial oi s<,n Kt. at\5vKs on a daU 
center, the moiutjormg device compnsmg: 

3 ds,v cc ^.oupled to phvstcal inik'^ bet\^cen the dau centci and a TifSsortv, \^iin the d<. vi^.e 
disposed to cxainire tralfic emei'ng or leaving tji<^t data cenicr on the coupkd ph\M<.ai iLiks md 
<. 0 ht ' s{ »t } vt 5^ al jp:oi tnalion Oii packets thtit are sent belu een iho .let \ ork i k' vh" d<H i t tt 

Has dAi>o 0 i liUlv^ tisa <uc vion jviunit {iotu Iht tot. f't»d itr^ s has. tiK ^ io^ i^io \t n o irot s 
coupledto, 

2 FiK ^nonitonng deMt.«. oi dami 1 wherein the morstonng de^ ice i coupieti to a 
con'rol ccntct through a dedicated, piJ\ate«ct\\oik 

i. ! mi ua*.a'Oii pio<,e\> ttk i vonuuunuatcs {he slaUxtua! uuoanauoi. o » packt ^ v^'*^ 
li i, coniroi centci and v^bIch retctses queries or iiistiULiiom fio.ii the conirol cemei 

+ ""b.^ inonitonag dc\ ice oi cUmi 1 \\hcrem the morutoitng de\ sec i^ a a .tewas 
device and lunhcr comprises: 

. iu \ ! staJ fdters lo th\s in demal ol sorv kc aitav,L^ hs c^kh ni^ x\h > osk a. Usl 
that IS deemed part of an attack. 

5, llie monitoring device of claim 1 whereiitthe inonitomg devke is a data 
collector device. 



(s. flic iroiiiioring Je^ ko of t!ai:n 4 whciC! j ihc gaicv'a} compfiaes; 
a prv».cs ^ to ;tggK>g;Uo traiiic iwm the various sniLs and to produce logs mid doiection 
heuristies. 



<.olkaav^i UMng . >uj\3NU)iicd monitor staUsiKaludoundUorikiupacsvv.i.'^ '^cU aso ^o^\ 
betwcui a notwoii and a pkiaiity of cus-tomcrs oi the data cenlci h\ exanumng ixMhc t)n 
selected links m the data ecntei as if th*, coUecting wen.* being perlom ed on Inks *hat are 
dovtiislieain fioni the i.daied Inikv il at il o pto\ isioncd moniior disposed on, and 

comniimicatmg ihm, over a dedicated network, to a eonimi eenter. 

« Hen oniton g de\ icc oi claim 7 wher^m iIk de\ ict is a g<^^e^=i: a> d<, v icc \^ his«h 
I untier c<.)mpnse.s: 

mstaliiiig filtcis to tl wan dcnsal o vservice attaeks b> renioMiig nctw ik iraiiK* that is 
deemed pari ot an attack, 

9, The momtoriBg deviee of claim 7 wherein the monitoring device; is a dMa 
collector device, 

10. The momlormg device of claim 7 wberem eoileettrig occuxs for iiibouiKi and/Or 
outbound traffic. 

11 \ I . ! i .'5 ^ <. 3 K nt disj>i'-»v d to monfttn a Imk betw ec'i v' aata op.v.'^ a? v u notv o5 k 

a riO\ 5sto 5ca ntonucn pU^cd on selected links ju dte data s.cnlci so iiat tne '^vn iSiOnoo 
uionuof examines tiailK crittnnj, oi leaMiig that data center on the j.eiected it^ks at>c* ct)Hocfs 
siatisucal mtomiauon tor aphnalus ol punisioned custoroeis. which aic on hnks tna are 
dov-vixstjeam hova tne <>.e!ccied 'inks that she pjovistoned nioni{->r is disposed on she oiovisioncd 
monitos maiutaming s^j,)au!'v <- ^ iKi „^ 1 ^ > - > <. i iuiiu u 

a gloDal eoisat;.! ! h ^ acuHiut-^ toi ali iiatijc hcu'^ j 1 tutu \^ . ^3 ^ l i 
tiKmitor is coupIsM to< 
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mai'Urtin^ s;„Dara*o f atkci iogs for each moiiuor 

n I an angcmciU of c iami 1 2 x\ herein the gats. ■vva v Tn<3iniaHiv <i glo v * i>atket log 
for all tmffic. 

i = u ( Li u i <. ' i.hmi i^^vUKUhHlv i .a} al packet log mciudes a satinic 
.\i J. K st.v 5 1 u s.Tik ' i! t.b Ail gauxsa^ is umnck vU 

1 ^ 1 arruBgcr 'c it of cUuni 14 ^fchciem packet analjNjs loi a ptUUculai n omtoi 
happen-, In' classsi y?ng packets Iwsed ot adJies^cs at the time of the analyisis 

}( I ho <iiiim^ci :eni ot dami 3 ^ whercui the gatt;w^> niamtaifts p »cato pava-ots. 
kcK pii g both a g\>bai packet log and a packet log foi each vmual niomt^ i 

1 7. The arrangement of claim 12 wherein tlie gateway is a clustered giuevv-ay and 
mcludes a plurality of probes and a cluster head, with the cluster head having a process lo 
aggregate traffic from the probes and to prodace separate counter logs for each provisioned 
customer; asid a global coutiter log, and produce detection heuristics. 

H He.rr'i \nv!' > 'n iivl iP {n. ) ( s sk> s k \v ^ id 

n$oni*oi loi lac pnvsica' in k on \shit,h ihc pu>% jsionod .nomtoi i-^ dcpiO)cd is 1.0 li^i v> ar 
. uicpetidetil nocc the network capable of 1 suing attati v^aramgs and i^sponses to attack 
qaciKs I depeuut* itl> from othci \iftual motiitois ol the pu \isu ned -noiUti 

I t .i"-. .hv ^ U o^ isiooed monitor inthidrng all of the 

p o is ou^d ! '< I s \ Hi tal u.oir v\s a^i as is n."- di{>iributcd ncfv^oil^ 
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^jUesruuduirj' bch^ccJi vntua' m> iiJois timl th^* rest ot tiv ic o k joJ k auc^ [TOccss to 

rjnamtasB cumrauincdtioiti vsitb the conirol Cviitu and ttt n.pj> lO atia^^k qaciios 

21 I he .arrangement of ci^tni 18 vthciem the provisioned nio'iitci \ \ Ltu \l iionuors 
hau liheis installer or a |Hr wtual iTtomtor basis 

ZZ i li <iu < \ ^iio claun H \shtreui v\Ik i u {iU«al <^jOx!Uoj t aca-^ a at atk 
a T i .sKH vvi tusunuti ufojraation is cofl\CNcd both to tlic cotiuoi center an{5 to ii nosinig 
pKHjuei s managcnx-ni unertace 

2 ^ I he ii angCiT!;.m o! clajm 22 wherein ihc coiurol cenlci is aaap'ed la cHstinoujs t 
an „ua<,k on a ^ni^^ o j-550%isioned cuMome^ associated s sth a vmiul Fionito' ana an avtack on *he 
linK(s) on which the monitor js physical! v deployed, 

24. A method of Ihwartjng attacks on a yiciirn <iau center coupled to ^ network 
eomprises; 

collect in^i {Statist ica! iufiinnalton ior a pIuraHt> of provisioned customers on links that are 
d<.A(.nsuo-> ' ' >> , V h.'.L Cv'' Lrfii.j! occnrv, and 

nKJixU'.au;.^ ^cpawsio coantci k)gi> iui each provisioned customer; and a '.'lohui ctJuniL-r 
log that accounts for all traffie seen on the Hnks on which coOecting occurs. 

25. rhe method of claim 24 wherein coiiecting occur*; on a gateway that passes 
network packets, the gateway being disposed at an edge of the network. 

„ ' 1 'j J ^ 1 I i t i s, ) p . 

m the network tot me data center, 

2H, i rse method ot ekum 24 tiuther comprising; 



ideutjfj thii inahaoufi ti attic and to cbmmate ihe mahcious icatUc 

29 A 'nclhod of thwarting attav'kj* on a % iciim dau center coupled to a tu oj k 
comprises: 

«,o|ScciinL' statis.Ka! iitoima' oii toi a pluialitv ol hnkv thai oo\vr^,t c\ n <Mn !»nk^ £> i 
which coliecnnii occor-^; 

Imk basis to identd v malicious tnmic: and 

cotvimun jcati ni^ alerts dial, arise tram the iratt le anai vsis , 

iu I JixtUod of claim 28 v^heiem pertonning analsM^ o<.-.ar^ ■>'. s .tsstkc. 
it' ri. atioh t > kxka ior <iiT mdi^idua! oxie ol the dov^nsUtaTii huh.s to iJ^nii*^ yi icious uatt t 
iatoded for tlie individual one of the dowmtremii Ikiks, 

1 i Hie method oi ciaiin 28 wheicm tommuiitcatmg to a contitU center oc^^urs or a 
aowiistnsam imk basis. 

V>K I' X !i < J o! 1. lai'n 2.S vshc'-cni vutnn \i k iiini wcuis Oil a dovs.ii<>ticajit hnk 
hasis H) a t. t, > t ^ L't^*- anics i ii.spon>i. io hv at ack 

Ih^ V timolol tiaiTU 28 wiicioin umniuti^Kahi^g o^.t.ai^ oti a uo^^ nstrcu r *nk 
ha^js a acdicatcd haidcncd network to a coi^trol center thcH deienunius a responsii to ihc 
attack. 

3-4 hci^aa^ >i - .lusmg 

tdici iis; i\ c idi^nt I <. i ilioun taiiJt and to eUmmato the ma'KJ >x la 'k no i 
fva^hmg the oiH- iie dowi sireaui hnks 
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